TL;DR

  • A takeover happens when a subdomain points to an unclaimed external service.
  • Look for dangling CNAMEs to SaaS providers.
  • Confirm by matching known error messages and claiming the resource (if allowed).

What It Is

A subdomain takeover occurs when sub.example.com points to an external service that no longer has a resource configured. If the DNS record still exists, an attacker may claim the resource and control the subdomain.

Common Targets

  • *.herokuapp.com
  • *.github.io
  • *.cloudfront.net
  • *.s3.amazonaws.com
  • *.azurewebsites.net

Detection Flow

  1. Enumerate subdomains.
  2. Resolve DNS and identify CNAME targets.
  3. Check target response for "not found" or "no such app" errors.
  4. Verify the service allows claiming the resource.
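
Steps 2 and 3 run offline over a zone export, as an added example that is not part of the original page. The provider suffixes are the ones listed under Common Targets; the error markers, the example.com records and the response bodies are constructed assumptions. A "candidate" result still needs step 4 before it counts as confirmed.

```python
# Added example: offline triage of a DNS zone export for dangling CNAMEs.
# Suffixes come from the page's "Common Targets"; markers from step 3.
PROVIDER_SUFFIXES = (
    ".herokuapp.com", ".github.io", ".cloudfront.net",
    ".s3.amazonaws.com", ".azurewebsites.net",
)
# Illustrative markers only (assumption); real provider error pages differ.
ERROR_MARKERS = ("not found", "no such app")

def provider_suffix(target):
    """Return the matching provider suffix for a CNAME target, or None."""
    host = target.rstrip(".").lower()
    for suffix in PROVIDER_SUFFIXES:
        if host.endswith(suffix):
            return suffix
    return None

def triage(records, responses):
    """Classify (name, cname_target) pairs; responses maps target -> body."""
    findings = []
    for name, target in records:
        suffix = provider_suffix(target)
        if suffix is None:
            continue  # CNAME does not point at one of the listed services
        body = responses.get(target.rstrip(".").lower())
        if body is None:
            status = "needs-review"  # no response captured for this target
        elif any(marker in body.lower() for marker in ERROR_MARKERS):
            status = "candidate"     # step 3 matched; step 4 still required
        else:
            status = "in-use"        # service answered with real content
        findings.append({"name": name, "cname": target,
                         "provider": suffix, "status": status})
    return findings

# Constructed sample data: names, targets and bodies are made up.
RECORDS = [
    ("shop.example.com", "shop-prod.herokuapp.com."),
    ("docs.example.com", "example-docs.github.io."),
    ("cdn.example.com", "d111.cloudfront.net."),
    ("www.example.com", "lb.example.net."),
]
RESPONSES = {
    "shop-prod.herokuapp.com": "<h1>No such app</h1>",
    "example-docs.github.io": "<html>Welcome to the docs</html>",
}

if __name__ == "__main__":
    for f in triage(RECORDS, RESPONSES):
        print(f["status"], f["name"], "->", f["cname"])
```

Keep the matched record and the captured body alongside each finding so the evidence survives after the DNS record is fixed.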

Tools

  • subfinder, assetfinder, amass, dnsx
  • subjack, tko-subs, nuclei takeover templates

Notes

  • Always verify scope and provider rules before claiming.
  • Keep evidence (DNS records, error pages).